Setting \Rpc To Accept NTLM Only
I am attempting to get Outlook Anywhere (RPC/HTTP) to function using NTLM authentication only. I have used the Set-OutlookAnywhere cmdlet, and seem to be able to get it to work from an external location only if I have the Outlook 2007 client set up to use Basic authentication for Outlook Anywhere. The website has a valid third party certificate installed, and we get no security flags when attempting to go to that website via a web browser (although it does display the default web page with access denied). In checking the \Rpc website, the Directory Security is set to Integrated and to Basic. After unchecking the Basic option and restarting the web services using iisreset, the security goes back to Integrated and Basic.
In looking at the cmdlet for OutlookAnywhere, it indicates that the Internal and External web spaces can be set to use the same Authentication method. http://technet.microsoft.com/en-us/library/bb123545.aspx is the web page that I am referencing for this information. However, when I run the command and try to set the default method to NTLM (and only NTLM), I get the following error:
Set-OutlookAnywhere : A parameter cannot be found that matches parameter name 'DefaultAuthenticationMethod'.
At line:1 char:63
+ Set-OutlookAnywhere -Name:LSS003 -DefaultAuthenticationMethod:N <<<< tlm
Makes sense since running a get-help Set-OutlookAnywhere command does not show a -DefaultAuthenticationMethod parameter.
I would really like to make it so that I can configure users to use RPC/HTTP regardless of their location (internal or external), and avoid them having to put in credentials needlessly when on the LAN. I can set the Outlook 2007 validation to NTLM and it does not cause a challenge when internal; yet externally I cannot connect without going to Basic. Our normal configuration is a computer using Windows XP and Outlook 2007.
Thanks in advance!
Jim@Work
November 16th, 2007 1:04am

This was a problem in 2007 RTM which is fixed in SP1.
December 11th, 2007 8:24pm

As a bit of a follow up, Anil Chaudhary is correct in that the functionality was addressed in SP1. The long and the short of it is, for us to use Outlook Anywhere successfully, the external facing website needed to be set to Basic authentication. We do not attempt to use NTLM or Kerberos for any Outlook Anywhere authentication. Jim
March 10th, 2008 11:23pm

So did you find NTLM does not work at all externally, or was it an organizational thing?
March 11th, 2008 2:35am

We're using ISA 2006 as our gatekeeper. We have only been able to get things working for externally connecting users by using Basic authentication for the Outlook Anywhere feature. Jim@work
March 11th, 2008 9:23pm

So, can I ask what the solution is for the internal users? Are they not running Outlook Anywhere (or) are they running Outlook Anywhere and being prompted for credentials upon launch? We're in the exact dilemma and would like to run Outlook Anywhere for all users. Our particular problem for internal users is that we cannot get AutoDiscover to set 'NTLM Authentication' via the Set-OutlookAnywhere -Name:CAS01 -DefaultAuthenticationMethod:NTLM command. Thanks
March 13th, 2008 9:18pm

I've got it set to allow Basic or NTLM and it's working great for me internally and externally; I don't think there is really a bug there, it's just a config thing. However, we are not using Exchange proxy settings for internal only users (desktop), as this puts increased load on the CAS servers.
March 13th, 2008 11:26pm

Ok, but according to the Set-OutlookAnywhere syntax, the DefaultAuthentication parameter states: This parameter can be used to set both the ClientAuthenticationMethod parameter and the IISAuthenticationMethods parameter to the same value. When you set an authentication value by using the DefaultAuthenticationMethod parameter, you force the specified authentication method to be used on the /rpc virtual directory in Internet Information Services (IIS). The authentication method can be set to Basic or NTLM.
Furthermore, the ClientAuthenticationMethod parameter states: This parameter specifies the authentication method that the Autodiscover service will provide to the Outlook Anywhere clients to authenticate to the Client Access server. The authentication method can be set to Basic or NTLM.
So in theory, Autodiscover should be forcing our internal clients to authenticate via NTLM. Instead, the Test E-mail AutoConfiguration from an internal Outlook Anywhere desktop returns:
Auth Package: Unspecified
I have to believe someone out there is using Autodiscover to push NTLM based authentication. Any help, pretty pretty please!?!?
March 14th, 2008 4:23am

When I did the -clientauthentication I added "NTLM, Basic". I also did:
set-outlookanywhere -identity GUID -IISauthenticationmethods NTLM, Basic
Mine works for both; Autodiscover pushes NTLM, not sure why though... because I listed it first? :-)
March 14th, 2008 6:21pm

Knightly, I'm a colleague of buhockey's working on the same problem. If you do a Get-OutlookAnywhere |fl, what does it list for ClientAuthenticationMethod? The documentation says that you can only supply one authentication type for that argument. Ours is set to NTLM, and IISAuthenticationMethods is also set to only NTLM, though we have also had it set to NTLM, Basic with no difference. AutoConfigure still returns "Auth Package: Unspecified".
Thanks for any help,
Rich
March 14th, 2008 6:37pm
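
Added example (not part of any post above, and not Microsoft's code): a small PowerShell audit of the two settings this thread keeps coming back to, ClientAuthenticationMethod and IISAuthenticationMethods. It flags servers where Basic is still enabled on /rpc and servers where the client method is not one that IIS accepts. Assumptions: PowerShell 3.0 or later, input objects shaped like Get-OutlookAnywhere output with a ServerName property, and constructed sample rows with hypothetical server names.

```powershell
# Added example, not from the thread. Input objects mimic the shape of
# Get-OutlookAnywhere output; the three sample rows are constructed.
function Test-OutlookAnywhereAuth {
    param(
        [Parameter(ValueFromPipeline = $true)]
        $Config
    )
    process {
        # Normalise both settings to plain strings for comparison.
        $iis    = @($Config.IISAuthenticationMethods | ForEach-Object { "$_" })
        $client = "$($Config.ClientAuthenticationMethod)"
        $findings = @()

        # Basic on /rpc: the password is sent with every request,
        # protected only by the TLS channel.
        if ($iis -contains 'Basic') {
            $findings += 'Basic is enabled on /rpc'
        }
        # The method handed to clients must be one that IIS accepts.
        if ($client -and ($iis -notcontains $client)) {
            $findings += "client method '$client' is not enabled in IIS"
        }
        if ($findings.Count -eq 0) { $findings = @('OK') }

        [pscustomobject]@{
            Server       = $Config.ServerName
            ClientMethod = $client
            IISMethods   = $iis -join ', '
            Findings     = $findings -join '; '
        }
    }
}

# Constructed sample data (hypothetical server names).
$sample = @(
    [pscustomobject]@{ ServerName = 'CAS-A'; ClientAuthenticationMethod = 'Ntlm'
                       IISAuthenticationMethods = @('Ntlm') }
    [pscustomobject]@{ ServerName = 'CAS-B'; ClientAuthenticationMethod = 'Ntlm'
                       IISAuthenticationMethods = @('Basic', 'Ntlm') }
    [pscustomobject]@{ ServerName = 'CAS-C'; ClientAuthenticationMethod = 'Ntlm'
                       IISAuthenticationMethods = @('Basic') }
)
$sample | Test-OutlookAnywhereAuth | Format-Table -AutoSize -Wrap
```

On a Client Access server with a suitable shell, the same function can take live data: Get-OutlookAnywhere | Test-OutlookAnywhereAuth.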

This topic is archived. No further replies will be accepted.
